Signing Ruby gem: Would s.signing_key in gemspec be removed when generating gem?

Tags: ruby, gem

I want to sign a Ruby gem and was following the instructions at http://docs.rubygems.org/read/chapter/21. It says, "Keep your private key hidden". But in order to sign the gem, we have to put "s.signing_key = '/mnt/floppy/gem-private_key.pem'" in the gemfile. If this line is not removed after generating the gem, everybody can see it after installing the gem from RubyGems.org. (Not that they can access my computer easily, but still.) Would that line automatically be removed from the gemspec when the gem is generated?

I usually build gems with Bundler's "rake release", so this time I tried "gem build mygem.gemspec" instead. But it caused an OpenSSL error, so I cannot check the generated gem.

Thank you in advance.

tadatoshi asked Nov 04 '22 02:11


1 Answer

No, the signing_key entry in your gemspec will not be removed. It will be public, so people will be able to see the file location of your signing key.

As you mentioned, this doesn't mean people will have access to it, but they will know where it would be if they could get access to your system.

You can inspect exactly what is published in the gemspec along with the gem by using the gem unpack command to export the contents of an installed gem:

gem unpack GEMNAME

Hope this helps!

Matt Sanders answered Nov 08 '22 06:11
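An added example in Ruby (not the asker's, the answerer's, or RubyGems' own code) that does the check the answer recommends programmatically: it builds a small constructed gem with `Gem::Package.build`, then reads back the gemspec that ships inside the `.gem` and lists the archive entries, so you can see whether a `signing_key` path or any signature files ended up in what would be published. It also shows a gemspec pattern that only sets `signing_key` when the key file is actually present on the build machine, with the path read from an environment variable. The variable names `GEM_SIGNING_KEY` and `GEM_SIGNING_CERT`, the gem name `sample_gem`, and the nonexistent key path used in the demo are assumptions made for this example.

```ruby
require "rubygems"
require "rubygems/package"
require "tmpdir"
require "fileutils"

# Added example, not RubyGems project code. GEM_SIGNING_KEY / GEM_SIGNING_CERT are
# variable names chosen for this example, not RubyGems conventions.

# Build a Gem::Specification whose signing_key is only set when the key file is
# present on this machine; a missing key simply yields an unsigned gem instead of
# a gemspec that hard-codes a private-key path.
def build_spec(name, version, key_path: ENV["GEM_SIGNING_KEY"], cert_path: ENV["GEM_SIGNING_CERT"])
  Gem::Specification.new do |s|
    s.name    = name
    s.version = version
    s.summary = "constructed sample gem for inspecting published metadata"
    s.authors = ["example author"]
    s.license = "MIT"
    s.files   = ["lib/#{name}.rb"]
    if key_path && File.exist?(key_path)
      s.signing_key = key_path
      s.cert_chain  = [cert_path] if cert_path && File.exist?(cert_path)
    end
  end
end

# Write a one-file library into workdir and build the .gem there; returns the .gem path.
def build_gem(spec, workdir)
  Dir.chdir(workdir) do
    FileUtils.mkdir_p("lib")
    File.write("lib/#{spec.name}.rb", "# constructed sample library file\n")
    Gem::Package.build(spec)                 # writes "#{spec.file_name}" into the current dir
    File.join(workdir, spec.file_name)
  end
end

# Read what a built .gem actually publishes: the gemspec fields visible to anyone
# who installs it, plus whether signature entries (*.sig) are present in the archive.
def inspect_gem(gem_path)
  spec = Gem::Package.new(gem_path).spec    # parsed from the embedded metadata.gz
  entries = []
  File.open(gem_path, "rb") do |io|
    Gem::Package::TarReader.new(io) { |tar| tar.each { |e| entries << e.full_name } }
  end
  {
    name:        spec.full_name,
    signing_key: spec.signing_key,           # a path here would ship with the gem
    cert_chain:  spec.cert_chain.size,       # public certs are expected to be published
    signed:      entries.any? { |n| n.end_with?(".sig") },
    entries:     entries,
  }
end

# Demo: build a gem with a key path that does not exist, so signing is skipped,
# then inspect the result. Returns the inspection hash.
def demo
  Dir.mktmpdir("gem-inspect") do |dir|
    spec = build_spec("sample_gem", "0.1.0", key_path: "/nonexistent/gem-private_key.pem")
    inspect_gem(build_gem(spec, dir))
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

`inspect_gem` works on any `.gem` file, including a release already downloaded with `gem fetch`, so it gives the same view as the answer's `gem unpack` without extracting the gem to disk; if `signing_key` comes back non-nil for a published gem, the key path is part of the public metadata.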